Canadian Musician - September/October 2020 | Page 62

BUSINESS
Alayna Kolodziechuk is a corporate and privacy lawyer at entertainment law firm Taylor Oballa Murray Leyland LLP.
On behalf of the Canadian Bar Association, Alayna has participated in submissions to government on privacy at the
border, the new Digital Charter, the Anti-Terrorism Act, and the Canada Elections Act. www.tomllawyers.com.
By Alayna Kolodziechuk
Privacy Law for Artists
Part 2: What Musicians Need to Know About Their
Privacy Obligations
Artists have more opportunities than
ever to connect directly with fans
through apps and social networks,
and online followers now play a key
role in the music business.
Activities from selling merchandise to scheduling
tour locations count on online engagement
with contacts. Collecting information about an
artist’s followers (names, contact information,
payment information, opinions, and views) can
be helpful if not necessary for an artist’s career.
In part one of this article, we talked about the
history and importance of privacy as a universal
human right. The collection, use, and disclosure
of personal information for business purposes
has to be balanced by certain privacy protections
– if you collect information through your
website, online store, or social accounts, you are
legally responsible for that information and have
to meet certain standards in doing so.
In Canada, the Personal Information Protection
and Electronic Documents Act (PIPEDA) is
the national standard. The website for the Office
of the Privacy Commissioner (Canada) makes
available many helpful guides and tools for free.
A General Rule
The less information you collect, the less
you have to manage and the less you could
ultimately face liability for. You should limit how
many people can access the information, make
sure the information is only used for proper
purposes, and limit how long you plan to keep
it. Information should be safely stored until
destroyed, encrypted, and/or de-identified.
*Tip: Avoid being tempted to collect whatever
information you can from fans and website
visitors. Make sure your website doesn’t ask users
for sensitive information like specific birth date or
gender identity. For demographic indicators, can
you collect city/region information rather than a
complete mailing address? Will an email address
suffice over a physical address altogether?
Legal Requirements
Privacy protection laws require that you:
• Have a privacy policy. To meet legal
requirements, the privacy policy for your
website/online store will have to clearly
let users know things like what information
you collect, for what purposes,
with whom it is shared, and where/for
how long it is stored. Links to the privacy
policy should appear on each page of
the website. (In the footer is fine.)
• Name a privacy officer. Display contact
information for the person responsible
for privacy matters.
• Respect requests and consent. Requests
for information or withdraws of consent
are addressed by the privacy officer
without complication or delay.
• Use security measures. Adequate security
measures such as passwords and encryption
can prevent data breaches/minimize
the harm that can come from a breach.
• Privacy training. Staff or representatives
handling data on your behalf need to be
properly trained.
• Contain and report privacy breaches. Be
prepared with policies and training to
identify and contain privacy breaches
and report publicly as may be required.
*Tip: Don’t forget about cookies. Cookies
are bits of data that improve internet functions
by saving data to increase convenience. Online
shopping carts work with the use of cookies,
as do functions like the Remember Me option
for return users. Websites that additionally use
cookies to monitor user activity, especially after a
browser session has ended, are problematic and
should be avoided. Depending on your website,
you may need to have a specific cookies policy.
*Tip: Talk to your web developer about managing
your privacy obligations through website
features or other software:
• On the back end, you’ll want to have
a way to track contacts by their name,
date/circumstances of consent, and the
scheduled destruction date.
• Users should be provided with the means
to access, update, edit, or delete any
account or registration information.
• Collecting personal information of minors
should be avoided, and in particular your
website should not collect information
regarding minors under the age of 13.
• If you disclose information to sponsors
or advertisers, it should be in anonymous
aggregate form only.
Contracts with Third Parties
Privacy considerations are coming up more and
more in music contracts. All individuals you hire
to conduct business on your behalf should be
contractually required to read and follow the
provisions of your privacy policy. Violation of the
policy should result in termination.
Given recent legal changes, you can expect
that members of your team from the label to
ticket agents may request your privacy policy
because they’ll need to confirm on their own
behalf that they have the lawful right to access
the third-party information you’ll be providing.
Privacy aspects of music contracts can be complex.
You should always have independent legal
advice regarding contracts you are entering into.
*Tip: Have a proper privacy policy in place
sooner rather than later so that as your following
grows you know you have the consents you and
your team need. If you collect information from
users that are outside of Canada, laws outside of
Canada are likely to apply. Given legal and policy
developments, you should periodically review
your privacy policies and practices.
The information in this article is not legal advice.
Address your specific circumstances with a lawyer.
You can only rely on advice that comes from
your own lawyer.
62 CANADIAN MUSICIAN